An IT Networking Informational Spot


A coder who goes by the online handle “Hephaestos” has shared with the world a Python script that, when put on a USB thumb drive, turns the device into an effective kill switch for the computer into which it is plugged.

USBkill, as the programmer dubbed it, “waits for a change on your USB ports, then immediately kills your computer.”

The device would be useful “in case the police comes busting in, or steals your laptop from you when you are at a public library (as with Ross [Ulbricht]),” Hephaestos explained.

Using a cord to attach the USB key to one’s wrist ensures that the drive is removed instantly, with a quick tug, upon the arrest of the user or the seizure of the computer.

Of course, if the user doesn’t use full disk encryption in the first place, the device becomes useless.

Hephaestos says that USBkill is still in the early stages, but that it works, and works well.

An anonymous reader writes: UI designer Eli Schiff has posted an article about the “climate of fear” surrounding Apple in the software development community. He points out how developers who express criticism in an informal setting often recant when their words are being recorded, and how even moderate public criticism is often prefaced by flattery and endorsements.

Beyond that, the industry has learned that they can’t rely on Apple’s walled garden to make a profit. The opaque app review process, the race to the bottom on pricing, and Apple’s resistance to curation of the App Store are driving “independent app developers into larger organizations and venture-backed startups.” Apple is also known to cut contact with developers if they release for Android first. The “climate of fear” even affects journalists, who face not only stonewalling from Apple after negative reporting, but also a brigade of Apple fans and even other journalists trying to paint them as anti-Apple.

Staying on top of the latest web exploits can be a challenge for Network Admins who are worried about simply keeping up with all the day-to-day management tasks required by a complex environment. This whitepaper details many of the most recent popular SSL-related exploits that your network is likely vulnerable to, along with simple steps you can immediately take to protect yourself.

Armed with the right tools and know-how, Network and Security Admins can take the right steps to lock down their networks against viable dangers. The reality is that brute force attacks are not new, but they remain a viable danger to your network – even if you are securing it by more traditional means.

This article details many of the most prevalent SSL exploits that your network could be vulnerable to, ranging from not using HSTS (HTTP Strict Transport Security) to the more theoretical BEAST (Browser Exploit Against SSL/TLS) attacks. Most importantly, this paper offers some simple steps you can take to protect your network now. A few of the ten defense techniques you will learn are:

At the moment, there is little more than speculation as to the appearance today of an ominous note greeting visitors to the TrueCrypt page at SourceForge. The text warns that the open source encryption software is not secure and informs users that development has been terminated.

It’s unclear whether the site has been defaced or whether the developers are aware of a critical vulnerability or backdoor that would jeopardize the integrity of the software, which has been downloaded more than 28 million times.

An audit of TrueCrypt was commissioned last year in order to determine if the software had been tampered with in the wake of the Edward Snowden leaks and the depths of surveillance by the National Security Agency. The results of the first phase of the audit were released on April 14 by iSEC Partners on behalf of the Open Crypto Audit Project and no backdoors were found. The first phase focused on the TrueCrypt bootloader and Windows kernel driver. Architecture and code reviews were performed, said Kenneth White, senior security engineer at Social & Scientific Systems, one of the OCAP architects.

A second phase, which has not yet begun, will focus on whether encryption suites, random number generators and critical algorithms have been properly implemented.

Many experts are downplaying the possibility that this is a defacement. Runa A. Sandvik, a privacy and security researcher and advisor on the TrueCrypt audit, told Threatpost that the current version listed on the SourceForge page, version 7.2, was signed yesterday with the same key used by the TrueCrypt Foundation for as long as two years. This was also confirmed by Kaspersky Lab researcher Costin Raiu.

“With a defacement, you would usually just expect to see the website change. In this change, the software seems to have changed as well,” Sandvik said. “The software has been modified to display a warning when you start it, as well as display a warning as part of the standard UI.”

Sandvik said she performed a quick analysis on the installer and saw no network traffic emanating from it.

“If the installer had a keylogger, you would expect the installer to at some point connect to another host and transfer information. Since there is no network traffic, there is no part of the installer that attempts to call home,” Sandvik said. “Note that I just did a very quick analysis, a deeper dive might uncover sketchy bits and pieces.”

Speculation also ran amok on Twitter that the shutdown was tied to an impending announcement regarding the TrueCrypt audit; White said via his Twitter feed that this is unfounded and that the announcement concerns an upcoming OCAP initiative.

“As a general rule, any time a high-profile site gets replaced with a terse static page (much less redirects), I would urge caution,” White told Threatpost, adding that OCAP had reached out to the TrueCrypt developers seeking more information. “But at the moment, I’m afraid I don’t have much to add.”


Saturday, April 05, 2014: Social networking giant Facebook has revealed some statistics about its 2013 bug bounty program, and it has come to light that India reported the largest number of bugs under the program last year. India accounts for roughly 93 million Facebook users and reported the most valid bugs, 136, with payouts averaging $1,353.

Facebook received a total of 14,763 submissions in 2013, up 246 per cent from the previous year, of which 687 bugs were found to be valid and eligible to receive rewards. Every submission was reviewed individually by a security engineer. Of the bugs reported, nearly 6 percent were categorised as high-severity. “India contributed the largest number of valid bugs at 136, with an average reward of $1,353 (Rs 80,000 approximately). The US reported 92 issues and averaged $2,272 (approximately Rs 1,35,000) in rewards,” Facebook said in a post.

Meanwhile, researchers in Russia earned the highest average amount per report in 2013, $3,961. It reported a total of 38 bugs. “We’ve paid over $2 million since we got started in 2011, and in 2013 we paid out $1.5 million to 330 researchers across the globe.” said Facebook. Most of the bugs reported were those discovered in non-core properties. “2014 is looking good so far. The volume of high-severity issues is down, and we’re hearing from researchers that it’s tougher to find good bugs,” Facebook added.

IT security professionals are on the front lines against web threats. A web threat is anything on the Internet that facilitates cybercrimes, including computer viruses, denial-of-service attacks and malware that target computer networks and devices. Other cybercrimes include cyber stalking, fraud and identity theft, information warfare, and phishing scams, all of which use computer networks and devices to facilitate other crimes. Financial damages, identity theft, loss of confidential information or data, damage to a company’s brand or a person’s reputation, and declining consumer confidence are just some of the risks posed by Web threats.

Web Threats Are Serious Threats

Every individual on every desktop and mobile computing device connected to the Internet is vulnerable to Web threats. Organizations worldwide are more dependent than ever on conducting business through the Internet. That dependence, combined with ever-changing Web threats, means most organizations are at risk every day of losing data, productivity and revenue. The increasing need for protection against the losses caused by Web threats is driving the growth of information systems (IS) security jobs.

Web threats often enter networks without user knowledge. They can also be triggered by clicking on a hyperlink or executable file attachment in a spam email. Once in a system, Web threats spawn variants, creating a chain reaction that spreads through the Web to infect more machines and perform more malicious activities.

Fighting Back Against Cyber Threats With IT Security

IT professionals specializing in IS security work need to stay up-to-date on cyber threats. Typically, they manage known threats from known sources through URL filtering and content inspection solutions. These require frequent updates, but are generally effective. It has become clear in recent years that multi-layered protection is necessary to fully protect consumers and businesses from web threats.

The “layers” referred to include the cloud, the Internet gateway, network servers and individual computers. The multi-layer approach integrates antivirus, anti-phishing, anti-spyware and anti-spam protection with website analysis using multiple techniques, such as source reputation and content clearing.

Top 10 Web Threats

Web threats are more damaging and extensive than ever. Nearly any website can either host malware or send the user to one that does. And infections are more likely to result from a visit to a legitimate website that has been compromised with spyware than from a phony site set up specifically to spread malware.

Last year, IT security firm Symantec released a list of history’s 10 most notorious Web threats:

I Love You (2000): This worm used a friendly phrase to entice users to open it. Ultimately, the Pentagon, CIA and British Parliament’s email systems were shut down in an effort to fight it.
Conficker (2009): Conficker allows its creators to remotely install software on infected machines. Later, it could possibly be used to create a botnet that can be rented out to criminals seeking to steal identities and direct users to online scams and phishing sites.
Melissa (1999): Named for the exotic dancer its creator was obsessed with, this virus kicked off a long period of high-profile threats between 1999 and 2005.
Slammer (2003): A fast-moving, aggressive worm, Slammer brought much of the Internet down in January, 2003.
Nimda (2001): This mass-mailing worm uses multiple methods to spread itself and became the Internet’s most widespread worm in 22 minutes. Its name is “admin” in reverse.
Code Red (2001): Websites with the Code Red worm were defaced by the phrase “Hacked By Chinese!”
Blaster (2003): The Blaster worm launched a denial of service attack against Microsoft’s Windows Update website.
Sasser (2004): Capable of spreading without user intervention, Sasser caused Delta Airlines to cancel some of its flights.
Storm (2007): Another worm directed at Microsoft, it was observed sending almost 1,800 emails from a single machine in a five-minute period.
Morris (1988): An old worm that remains famous and allows current worms to exist, Morris was created innocently in an attempt to gauge the size of the Internet.

Top Trends in Cyber Threats

Hackers and cyber thieves are continuously launching new Web threats – often tied to newsworthy events:

In December, 2010, supporters of the website WikiLeaks protested against MasterCard and Swiss bank PostFinance’s disruption of funding to the site by attacking their websites. The hackers, dubbed Anon_Operation, said they had brought down mastercard.com with denial of service attacks.
In June, 2010, spammers and scammers took advantage of national interest in the FIFA World Cup in South Africa to release spam, scams, advance-fee “419” fraud and malware attacks.
The average rate for malware in email traffic in 2010 was one in 284.2 emails, according to Symantec’s MessageLabs Intelligence 2010 Annual Security Report. There was a substantial increase in the number of different malware strains blocked, due largely to the growth in polymorphic malware variants that allow a new version of the code to be generated quickly and easily, according to the report.
Two of the greatest challenges for IT security professionals are protecting an increasingly mobile workforce and the business world’s skyrocketing use of social media tools – which cyber criminals have recognized as a new means to conduct illegal activity and inflict harm.
Increasing broadband availability, combined with more users without computer security awareness gaining Internet access, is leading to high rates of malware infection in additional areas like East Africa.
Symantec predicts that in 2011, botnet controllers will begin hiding commands in plain view – within images or music files shared through file sharing or social networking sites.

IS Security Job Descriptions

The new and unknown Web threats designed to adapt to traditional methods and avoid detection keep IS security professionals on their toes. Their main responsibility is to analyze systems to prevent security breaches, loss of revenue and harm to brands, and protect confidential data.

Overview of IT Security Careers

IS security jobs can be found in organizations in the private, public and government sectors, worldwide. Employers need the skills and knowledge that experienced professionals bring. With advanced training and industry certification, you can pursue a career as an IS security engineer, IT security consultant or IS security manager. Additional experience and training can lead to executive IT security jobs like chief IT officer, director of information technology, senior IS security analyst, chief IS security officer, and IS security director.

IT security professionals are responsible for creating different methods to protect an organization against spyware and malware, while keeping Internet bandwidth available for business needs. They must also guard against employees’ improper Internet use, like visiting infected websites, and prevent loss of confidential information and data.

Different duties come with each level of responsibility on the IS security career path. In mid-level positions like IS security engineer and IS security manager, job descriptions typically include duties like performing security design reviews, code audits and black box testing. They may also develop product specifications, plans, schedules and other written correspondence. Higher-level executives such as chief technology officers, IS security directors and chief information officers lead an organization’s IS security strategy, planning and supervisory activities, and direct an information systems security or information technology department.

IT Security Potential Salary

The U.S. Bureau of Labor Statistics (BLS) data from May, 2009 indicate computer and information systems managers earned average salaries of $120,640. Those in the 75th percentile earned around $143,590 per year, while the top 10% earned upwards of $166,400 annually.

Salary.com and PayScale.com records for December 2010 showed that IT and IS security managers, directors and executives had an annual base income in the following ranges:

IT and finance professionals, project managers and business professionals from a variety of backgrounds are affected by web threats. Those interested in pursuing a career in IS security should consider acquiring the in-demand information security skills and certification that today’s top employers require.

Landing an IS security job typically requires at least a bachelor’s degree, specialized IS security training and recognized credentials such as the Certified Information Systems Security Professional (CISSP ®) or Systems Security Certified Practitioner (SSCP®) certification through (ISC)2® or CompTIA (Computing Technology Industry Association) Security+™ certification. To develop these critical skills and prepare for certification exams, many professionals enroll in continuing professional education – such as the Master Certificate in Information Security programs offered 100% online by Villanova University.

When Hadoop started, it had a security problem. The spin from the various Hadoop vendors and proponents tended to be something like, “We see security as a front-end application issue.” This is what you say when you don’t have a good answer.

Since then, solutions like Apache Knox and Cloudera Manager have provided answers for authentication and authorization for basic database management functions. The underlying Hadoop Filesystem now incorporates Unix-like permissions.

This hasn’t completely quashed the issue, largely because of the way entrepreneurs think: If you can’t come up with a new idea, then plunk the S-word after the name of a new technology and you have a “BOLD IDEA FOR A NEW STARTUP!!!!” Rummage through the dustbin of recent history and you’ll find startups devoted to SOA security, AJAX security, open source security, and so on. Now we have big data security startups — and the money will roll right in! How do you launch a security startup? Scare people, of course.

The real security problem with Hadoop in particular and big data in general isn’t with everyday access rights — that took all of 10 minutes for the vendors and open source community to solve. The big problem is that when you aggregate a lot of data, you lose context. While I doubt many people are aggregating a lot of data without any context, aggregating any data means losing some context. A highly scalable architecture like Hadoop makes it feasible to store context, too, but checking all that context with each piece of data is an expensive proposition.

Here’s what you need to know about context: Though you learn all about authentication and authorization in any basic computer science course, the most important details are often skirted. Yes, you can get access to the database as a certain user, and yes, you can get access to the BankAccounts table, but which rows can you access? The more data you aggregate, the harder it becomes to preserve granular rights and permissions.

How do you keep all of those data ownership and data context rules in place without killing the performance that caused you to choose a big data solution in the first place? Well, there are emerging technology solutions, such as Accumulo, created by the big data community — including everyone’s favorite member, the NSA.
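The row-level question above (which rows may this user see once data from many owners sits in one table?) is the one Accumulo answers with per-value visibility labels. The following is an added example, written for this page and not taken from the article or from Accumulo’s code base: a simplified model in which every stored value carries a boolean label expression, and a reader holding a set of authorizations sees only the values whose expression is satisfied. The grammar (labels, `&`, `|`, parentheses, with `&` binding tighter than `|`), the sample rows and the authorization sets are constructed assumptions for illustration, not Accumulo’s exact syntax rules.

```python
"""Cell-level visibility filtering over aggregated rows (added example).

Simplified model of Accumulo-style visibility labels, written for this
page; not Accumulo's own code. Every value carries a boolean expression
over labels, e.g. "finance&(audit|legal)". A reader with a set of
authorizations sees only values whose expression evaluates to True.
Grammar and sample data are assumptions made for the illustration.
"""
import re

# One token per match: a label, or one of the operators & | ( ).
_TOKEN = re.compile(r"\s*([A-Za-z0-9_]+|[&|()])")


class VisibilityError(ValueError):
    """Raised for a malformed visibility expression (fail closed)."""


def _tokenize(expr):
    pos, tokens = 0, []
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise VisibilityError(f"bad character at {pos} in {expr!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class _Parser:
    """Recursive descent: expr := term ('|' term)*; term := factor ('&' factor)*;
    factor := LABEL | '(' expr ')'. Every operand is evaluated (no
    short-circuit) so that syntax errors are always detected."""

    def __init__(self, tokens):
        self.tokens, self.i = tokens, 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def expr(self, auths):
        result = self.term(auths)
        while self.peek() == "|":
            self.take()
            result = self.term(auths) or result
        return result

    def term(self, auths):
        result = self.factor(auths)
        while self.peek() == "&":
            self.take()
            result = self.factor(auths) and result
        return result

    def factor(self, auths):
        tok = self.take()
        if tok == "(":
            result = self.expr(auths)
            if self.take() != ")":
                raise VisibilityError("missing ')'")
            return result
        if tok is None or tok in ("&", "|", ")"):
            raise VisibilityError(f"unexpected token {tok!r}")
        return tok in auths  # a bare label is true iff the reader holds it


def is_visible(expression, auths):
    """True if the label expression is satisfied by the reader's authorizations.
    An empty expression marks an unrestricted value."""
    expression = expression.strip()
    if not expression:
        return True
    parser = _Parser(_tokenize(expression))
    result = parser.expr(frozenset(auths))
    if parser.peek() is not None:
        raise VisibilityError(f"trailing input {parser.peek()!r}")
    return result


# Constructed sample: rows aggregated from several source systems, each
# value tagged with the label expression its owning system attached.
SAMPLE_ROWS = [
    {"account": "A-100", "balance": 1200.0, "vis": "finance"},
    {"account": "A-101", "balance": 88.5, "vis": "finance&(audit|legal)"},
    {"account": "A-102", "balance": 9100.0, "vis": "hr|finance"},
    {"account": "A-103", "balance": 0.0, "vis": ""},
    {"account": "A-104", "balance": 42.0, "vis": "legal&pii"},
]


def filter_rows(rows, auths):
    """Return only the rows whose visibility the reader satisfies."""
    auths = frozenset(auths)
    return [r for r in rows if is_visible(r["vis"], auths)]


def visible_accounts(rows, auths):
    return [r["account"] for r in filter_rows(rows, auths)]


if __name__ == "__main__":
    for who, auths in [("finance analyst", {"finance"}),
                       ("auditor", {"finance", "audit"}),
                       ("anonymous", set())]:
        print(who, "->", visible_accounts(SAMPLE_ROWS, auths))
```

The cost the column warns about is visible here: every row read re-evaluates its expression against the reader’s authorizations, which is why the check must be cheap and pushed down to the storage layer rather than applied after a full scan. Malformed expressions raise rather than default to visible, so a tagging mistake at ingest denies access instead of leaking a value.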

Luckily, this has all been thought of before in research and in great detail. In fact, almost exactly one decade ago this was a hot topic. When you’re building your big data project that aggregates gobs of data from various places in the company and wondering about security, I suggest simply searching on “datawarehouse security.” Though 70 percent of the results will be vendor pitches or complaints about RBAC, you’ll find plenty of results that explain exactly how this was done before. Much of that previously published material describes neither technologies nor tools, but methodologies — and those more or less translate directly to big data.

This article, “Trust me: Big data is a huge security risk,” was originally published at InfoWorld.com. Keep up on the latest news in application development and read more of Andrew Oliver’s Strategic Developer blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.